Optus hack explained

Hundreds of thousands of Optus accounts have been vulnerable to phone hacking of voicemails without using a PIN, in a security flaw revealed by an 18-year-old university student.

The flaw was only resolved earlier this month after Fairfax Media raised a series of questions about the vulnerability, which also exposed Optus customers to identity theft through unauthorised access to the social media services Google, Facebook and LinkedIn.

The flaw allowed anyone to "spoof" a victim's number using easily available technology and retrieve the phone number's voicemail. The practice of spoofing involves a hacker changing their phone's caller ID to a victim's mobile number.

Fairfax Media and Mr Shah gave Optus and other technology companies just over a week to fix the issue before publishing details about the flaw.

Optus first acknowledged caller ID spoofing in July 2011 when it was reported defunct UK tabloid News of the World was using similar techniques to hack into the voicemail of high-profile people.

"With regards to spoofing, we are looking at multiple options to address this emerging industry-wide threat, including technical solutions and customer education," Optus said then.

Mr Shah reported the issue to Optus on May 2 and said it also affected Optus resellers Live Connected, Dodo, Vaya Telecom, Yatango, Amaysim, iiNet, TPG and Exetel.

In a blog post provided to Fairfax prior to publication, Mr Shah said he found the flaw after discovering a telephone number Optus makes available to travellers was not checking for a PIN when customers used it to retrieve voicemail.

Instead, it was only verifying the voicemail request from the incoming mobile number.

This meant that when Mr Shah used a caller ID spoofing service, such as SpoofCard, he could access any Optus customer or Optus reseller customers' voicemail account.

Fairfax Media witnessed Mr Shah accessing voicemails using the system. In the demonstration Mr Shah only accessed voicemails with the phone owner's permission.

"It is concerning that it doesn't require a PIN when you call from the victim's number when spoofed, mainly because God knows what's in their voicemail," Mr Shah said in an interview. "It could be messages relating to something that's really fatal, critical."

An Optus spokesman said the telco had resolved the vulnerability "after restoring additional security measures".

Optus had "found no evidence" that customers were affected.

"Customers who tried to access their voicemail from outside of the Optus mobile network such as when overseas, were required to enter a PIN," the spokesman said. "A recent investigation found that in some instances, customers would not be prompted for a PIN."

It is understood the security vulnerability was introduced in the second half of last year after Optus received a number of complaints from customers who couldn't access voicemail while roaming overseas.

While the change let roaming customers access their voicemail it also mistakenly introduced a security vulnerability that the telco apparently didn't know about.

The flaw also allowed outsiders to retrieve Optus customers' two-factor authentication codes, or tokens, used to access their social media accounts, including Google, Facebook and LinkedIn.

These codes – which come in handy as a second layer of security when online log-in credentials are stolen – are usually sent via text message but can also be sent via a phone call and end up in voicemail.

After being contacted by Mr Shah, Facebook and LinkedIn told him they had stopped security tokens being sent to users through telephone calls until they could stop them going to voicemail.

In an email from a LinkedIn employee, Mr Shah was told: "While the potential impact for our members is limited, we have made the decision to temporality (sic) turn off the voice option in our Two-Step verification setting. We are working with the third-party vendor we use for this service to implement a fix."

Google told Mr Shah the security issue was Optus' problem to fix, writing in an email: "We've taken a look at your submission and can confirm this is not a security vulnerability in a Google product. The attack presupposes a compromised password, and the actual vulnerability appears to lie in the fact that the Telcos provide inadequate protection of their voicemail system."

Troy Hunt, a Sydney security researcher, said it wasn't acceptable for telcos to use mobile numbers as a single means of authentication for voicemail as they could be easily spoofed, as proved by Mr Shah.

Mr Hunt added that hackers could have used the flaw in targeted attacks, but that it was unlikely it could have been used in an automated attack to steal dozens of users' private information.

"The attacker has to manually single someone out and then get everything to line up just right," he said.

Ty Miller, director of IT security firm Threat Intelligence, said the ability to bypass two-factor authentication was a significant flaw that needed immediate attention by all affected parties.

"It is concerning to everyone when a key security measure like two-factor authentication fails us on such a grand scale with such a simple attack technique," Mr Miller said.

17 comments

So in other words the accounts were hacked, not accidentally accessed, and as far as I am aware deliberately accessing another person's voicemail (or social media) without their permission is against the law, as we see in the UK at the moment. The article, by highlighting how to do this, seems to be condoning anyone who is willing to attempt it. Bizarre article.

Commenter: Mitch | Location: Sydney | Date and time: May 17, 2014, 1:10PM

There are many bizarre things in this country.

Commenter: The Other Guy1 | Date and time: May 17, 2014, 1:30PM

Shouldn't it be fixed by now? Anyway, what about those complaining about being unable to remember their own PIN for a voicemail box? SMH is not condoning anything; Optus got enough time to fix it before SMH went public. I see it as an indication of how easy it was to do, and I am surprised it even existed.

Commenter: nailer | Location: Sydney | Date and time: May 17, 2014, 2:25PM

So what's your point? Yes, they were hacked because there was no security (or easily circumventable security) employed.

Commenter: Dave | Location: Melbourne | Date and time: May 17, 2014, 3:02PM

Really? So I suppose it should all be kept in the dark as if it never happened. Reporting something is not the same as condoning it.

Commenter: Kosta | Location: Brighton | Date and time: May 17, 2014, 4:22PM

Optus is under the pump... Their mobile network in Sydney is also in pain. Numerous Optus mobile users I know are not able to receive calls, with the caller getting a message 'The Optus mobile network is temporarily unavailable'. And often SMS messages will not go through... Has anyone else had these issues recently?

Commenter: Opless | Date and time: May 17, 2014, 4:32PM

Recently? For years I have had only 1 in 5 voicemail messages actually getting recorded. I often get an SMS saying xxxxx number has called but no message was left - but they have, and it's not there. And that's when I get an SMS at all.

Whenever I call Optus about it they say either the VM system is switched off (by who? not by me), or there is nothing wrong and they can't tell me why my messages are not getting through.

I live in a suburban area, with a mixture of single/double storey homes, less than 1.5km away from the nearest tower, and most of the time I get no signal in the home. When I do, I get one bar.

Commenter: Opinion, not cash for comment | Date and time: May 18, 2014, 9:55AM

This sort of "vulnerability" was known of 20+ years ago when Voice Mail systems started using CLID for direct mailbox access - and the answer back then was that any call not originating from the directly controlled network (like a PSTN call to the general access number) would require a PIN for mailbox access.

This is what happens when you have data people running voice networks with no experience or understanding of 100+ years of voice network operation or management.

Commenter: DC | Location: Melbourne | Date and time: May 17, 2014, 5:57PM
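The article describes the flaw (the travellers' voicemail number trusted the incoming caller ID and never asked for a PIN) and DC's comment describes the long-standing answer (a PIN for any call that did not originate inside the operator's own network). The following is an added illustration of that authorisation rule, not code from Optus or from any commenter. It assumes a hypothetical `CallAttempt` record whose `origin` field is set from the network's own signalling (which a caller cannot alter), unlike the presented caller ID, which off-net callers can set freely; the mailbox numbers and PINs are constructed sample values.

```python
"""Voicemail access policy: caller-ID-only (broken) versus PIN-gated for off-net calls.

Added illustration of the authorisation rule discussed in the article and comments;
all identifiers, mailboxes and PINs are hypothetical/constructed.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Origin(Enum):
    # Assumption: this flag comes from the operator's own signalling, not from the
    # presented caller ID, so an external caller cannot set it.
    ON_NET = "on_net"    # call set up inside the operator's own mobile network
    OFF_NET = "off_net"  # PSTN, another carrier, international roaming, spoofing service


@dataclass(frozen=True)
class CallAttempt:
    presented_cli: str          # caller ID as presented; attacker-controllable when off-net
    target_mailbox: str         # mailbox whose messages are being requested
    origin: Origin
    pin: Optional[str] = None   # PIN keyed in on the IVR, if the caller was prompted


# Constructed sample data: mailbox number -> PIN (a real system would store a hash).
MAILBOX_PINS = {
    "+61400000001": "4821",
    "+61400000002": "9137",
}


def vulnerable_policy(call: CallAttempt) -> bool:
    """The broken roaming rule: grant access whenever the caller ID matches the mailbox.

    Caller ID is an untrusted assertion for off-net calls, so a spoofed CLI is enough.
    """
    return (call.target_mailbox in MAILBOX_PINS
            and call.presented_cli == call.target_mailbox)


def hardened_policy(call: CallAttempt) -> bool:
    """Trust the caller ID only for calls the network itself originated; everything else needs a PIN."""
    expected_pin = MAILBOX_PINS.get(call.target_mailbox)
    if expected_pin is None:
        return False                                   # unknown mailbox: never grant
    if call.origin is Origin.ON_NET and call.presented_cli == call.target_mailbox:
        return True                                    # CLI is trustworthy on-net
    if call.pin is None:
        return False                                   # off-net and no PIN: prompt, don't grant
    # Constant-time comparison so PIN checking does not leak timing information.
    return hmac.compare_digest(call.pin, expected_pin)


def classify_for_audit(call: CallAttempt) -> str:
    """Label an attempt for the access log so analysts can spot CLI-spoofing patterns.

    An off-net call presenting the mailbox owner's own number without a valid PIN is
    exactly the shape of the attack the article describes.
    """
    granted = hardened_policy(call)
    if call.origin is Origin.OFF_NET and call.presented_cli == call.target_mailbox and not granted:
        return "denied:possible-cli-spoof"
    return "granted" if granted else "denied"


if __name__ == "__main__":
    # A roaming subscriber who knows their PIN still gets in; a spoofed CLI without it does not.
    roaming = CallAttempt("+61400000001", "+61400000001", Origin.OFF_NET, pin="4821")
    spoofed = CallAttempt("+61400000001", "+61400000001", Origin.OFF_NET)
    for attempt in (roaming, spoofed):
        print(vulnerable_policy(attempt), hardened_policy(attempt), classify_for_audit(attempt))
```

The design point is that the presented caller ID is only evidence of identity when the operator's own network set it; once a call arrives from outside (including a legitimate roaming customer), the same rule that lets the roaming customer in lets a spoofed caller in unless a second factor is demanded. The audit label gives an analyst something to count: a burst of "possible-cli-spoof" denials against one mailbox is a targeted attempt of the kind Mr Hunt describes.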

Don't worry. It's just the media 'reminding' you they're still on top of this sort of thing. You know... Whatever the media says goes, right?

Commenter: Kel | Date and time: May 18, 2014, 6:52PM

Dave, the point is it is against the law. There was security, but it was hacked by a guy using a certain tool, which the author in his wisdom then decided to show everybody. So if someone's voicemail is hacked on another carrier using this method and the individual who is hacked is put in danger, then who is liable? Guess who... and it's not the carrier, as we see in the UK.
